SEC Asks Companies to Disclose Cyberattacks, Data Breaches

The Securities and Exchange Commission (SEC) has formally asked
publicly traded companies in the U.S. to disclose when they've
been hacked or suffered a data breach. The request could
drastically alter how corporations traditionally handle
cybercrime attacks and the amount of staff and effort they use to
prevent such incidents.

The SEC guidance, issued yesterday (Oct. 13), calls for corporations
to disclose "timely, comprehensive, and accurate information"
regarding any cybercrime incident that has a financial impact on
the company or could mislead investors.

Though it sounds straightforward and reasonable from an
investor's perspective, there is currently no federal mandate
requiring a corporation to let anyone know if it's suffered a
cyberattack. This new direction from the SEC — it is a formal
guidance, but not a law — could cause big businesses, if they
choose to adhere to the guidance, to face the public when
hit by hackers instead of hiding behind a veil of secrecy.

Why disclose when you don't have to?

"Underreporting of IT security incidents has been a perennial
problem for decades," Steve Santorelli, director of global
outreach at the Internet security research group Team Cymru, told
SecurityNewsDaily. A former Scotland Yard police officer,
Santorelli says corporations systematically underestimate the
problems they face from hackers.

Chester Wisniewski, senior security advisor for the security firm
Sophos, told SecurityNewsDaily that the majority of companies
choose not to come forward because "the risk to their reputation
and loss of confidence from customers and investors is too high."

"Most incidents are not even reported to law enforcement in my
experience," Wisniewski added. He did single out Google for
choosing to come forward after the 2009 "Aurora" breach in which
it, along with hundreds of other companies, was hit by
China-based hackers.

The SEC guidance will cause a flood of breach disclosures

Under the new SEC guidance, Santorelli and Wisniewski believe
there will be a major uptick in data breach disclosures from
companies who've traditionally swept such incidents under the
rug.

Wisniewski referenced Massachusetts's data breach law, which led
to a rise in disclosures after mandating that companies must
report when personally identifiable information is stolen or
compromised. "If you now include anything that may increase
financial liability or have a material impact on the
profitability of a business, you are likely to see another
reporting spike," Wisniewski told SecurityNewsDaily.

Or it won't

However, the SEC's guidance is not a law, and Kurt Baumgartner,
senior security researcher at the security firm Kaspersky Lab,
does not expect big businesses to change their policies to comply
with a suggestion.

"The guidance will most likely not result in a dramatic increase
of breach reports," Baumgartner told SecurityNewsDaily. "The text
is printed as 'guidance' by the commission and it has not passed
as new regulation." Only "solid, uniform, federal breach
notification legislation" would force corporations to come
forward and report breaches, he said.

Baumgartner said the most surprising aspect to this issue is that
while companies are sometimes able to stay silent and keep their
investors in the dark, they face few repercussions, even after
massive incidents that result in millions of dollars lost.

"The problem [of data breaches] is much larger than what has been
reported," Baumgartner said. He quoted Senator Jay Rockefeller
(D-W.Va.), chairman of the Senate Commerce Committee, who
"estimated that intellectual property worth billions of dollars
has been stolen. Perhaps the senator should add some zeroes to
that figure if we are discussing the past ten years of
cyber theft and espionage."

Data breaches are making companies — and cybercriminals — smarter

Recent high-profile victims of network intrusions, part of an
unfortunately long list, include Google, Morgan Stanley, Sony,
Stanford Hospital, Epsilon, Yale University and security-token
maker RSA.

"The events and major breaches of this year to date have really
served to bring these issues to the fore of public debate, and
that's obviously a positive step," Santorelli said.

So if the SEC guidance urges companies to invest more in IT and
security, companies would have the advantage over the criminals
trying to steal their sensitive information, right? Not
necessarily, Baumgartner said.

While the headline-making hacks have made corporate security a
hot topic and drawn talented professionals to the frontlines,
Baumgartner said cybercriminals have upped their game as well.
"The attackers are shaking it up, because they are picking apart
existing security, forcing innovation and real attention to the
matter."

Will companies start to take security more seriously?

As with any other business dealing, money is the main driving
factor in whether or not corporations will start taking
precautions to prevent a cybercrime incident that they would then
feel compelled to disclose.

"Economics has always driven decisions in the business world,"
Santorelli said. "If you get a reputation for poor security, that
can be seen as a major competitive advantage for your rivals."
However, if there are industry requirements that force companies
to disclose cybercrime incidents, "then arguably the decision to
disclose is taken out of the hands of the victim company."

Baumgartner is confident that companies will take steps to
increase security, but fears that such reinforcements might not
come in time to prevent the next major cyberattack.

He told SecurityNewsDaily that because of the recession, "States
and corporations are still grappling with revenue shortfalls and
drops, which will impact security spending overall."

While the SEC guidance could see companies shifting their focus
to fortifying their networks and preventing cyberattacks,
Baumgartner remains "pretty confident that we will see more
breaches that could have been avoided over the next couple of
years."